feat(chart) Allow podSecurityContext and securityContext for webhooksCleanup (#7970)

Fixes #7962 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2023-08-07 08:24:53 -04:00 · 2023-08-07 08:24:53 -04:00 · 0b5f9a0f25
commit 0b5f9a0f25
parent 7415c1a3d4
4 changed files with 29 additions and 0 deletions
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@ -60,3 +60,5 @@ annotations:
      description: allow affinity settings for cleanup jobs
    - kind: added
      description: Add helper to handle the labels for cleanup jobs, add component label
+    - kind: added
+      description: allow podSecurityContext and securityContext for webhooksCleanup
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -616,11 +616,13 @@ The chart values are organised per component.
 | webhooksCleanup.enabled | bool | `true` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
 | webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets |
+| webhooksCleanup.podSecurityContext | object | `{}` | Security context for the pod |
 | webhooksCleanup.nodeSelector | object | `{}` | Node labels for pod assignment |
 | webhooksCleanup.tolerations | list | `[]` | List of node taints to tolerate |
 | webhooksCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
 | webhooksCleanup.podAffinity | object | `{}` | Pod affinity constraints. |
 | webhooksCleanup.nodeAffinity | object | `{}` | Node affinity constraints. |
+| webhooksCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |

 ### Test

--- a/charts/kyverno/templates/hooks/pre-delete.yaml
+++ b/charts/kyverno/templates/hooks/pre-delete.yaml
@ -15,6 +15,10 @@ spec:
  template:
    spec:
      serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
+      {{- with .Values.webhooksCleanup.podSecurityContext }}
+      securityContext:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
      restartPolicy: Never
      {{- with .Values.webhooksCleanup.imagePullSecrets }}
      imagePullSecrets: 
@ -31,6 +35,10 @@ spec:
              sleep 30
              kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
              kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+          {{- with .Values.webhooksCleanup.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
      {{- with .Values.webhooksCleanup.tolerations }}
      tolerations:
        {{- tpl (toYaml .) $ | nindent 8 }}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -308,6 +308,9 @@ webhooksCleanup:
  # -- Image pull secrets
  imagePullSecrets: []

+  # -- Security context for the pod
+  podSecurityContext: {}
+
  # -- Node labels for pod assignment
  nodeSelector: {}

@ -323,6 +326,20 @@ webhooksCleanup:
  # -- Node affinity constraints.
  nodeAffinity: {}

+  # -- Security context for the hook containers
+  securityContext:
+    runAsUser: 65534
+    runAsGroup: 65534
+    runAsNonRoot: true
+    privileged: false
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+
 grafana:
  # -- Enable grafana dashboard creation.
  enabled: false